Posted
by
kdawson
on Tuesday June 22, 2010 @03:55PM
from the only-three-million-who-would-bother dept.

CWmike writes "With Monday's iOS 4 upgrade, Apple patched a record 65 vulnerabilities in the iPhone, more than half of them critical. However, the first-generation iPhone and iPod Touch, as well as the much newer iPad, may have been left vulnerable to some or all of the 65 bugs. iOS 4 cannot be installed on 2007's iPhone and iPod Touch, and the upgrade is not slated to reach iPad owners until this fall. The bug count is a record for the iPhone, surpassing the previous high mark of 46 vulnerabilities patched last summer with iPhone OS 3.0. Formerly known as iPhone OS 4, iOS 4 included 35 bugs, or 54% of the total, that were tagged with the phrase 'arbitrary code execution.' It's unclear how many, if any, of the vulnerabilities affect Apple's iPad. The media tablet runs an interim version of the operating system, dubbed iPhone 3.2, that followed the February iPhone 3.1.3 security update. It's possible that some of the bugs patched Monday were fixed by Apple before it launched the iPad in early April. But according to the Common Vulnerabilities & Exposures database, it's likely that many of the flaws fixed on Monday still exist in 3.2."

If another person claims a "record" on the number of bugs fixed in an apple release out I'm gonna jump off a fucking cliff.

Bugs are not good. Lots of bugs are worse. Fixing them? You don't get a medal, you should have done it right the first time. Yes it's good to patch them, but it's not something to break out the champagne on. When I fix a huge bug list my boss says "about time", not "good job! way to work!".

... and they don't allow any other (real) browser on the phone, either. I might be parroting comments from above, but if this was a certain other large technology company the vitriol here would have been through the roof.

This might be a perspective thing, but I read "Company X has patched a record number of security holes" as a negative thing, not as something the OP or company X is reporting to gloat about. I've taken the liberty of reading the links by the OP (shocking, I know), and didn't find any of them to really be coming across as something that anyone is looking for a pat on that back for (and for the record, I didn't see an official comment from Apple on their "record patch job").

Granted, some fanboys will try and spin it into a positive of some kind

Well yes, that's the problem. Companies just kind of matter of factly send out patches, and the kool aid crowd turns every negative into a positive. Every time I see one of those comments I wonder if the poster is an employee of that company, heavily invested in its stock, or is just a batshit insane loser.

Apple seems to be getting more and more like Microsoft every day. I agree; bug fixes shouldn't be "look how great I am, I'm fixing bugs" it should be "We're sorry for the inconvienience and will try to program less incompetently next time. We hope these bug fixes don't brick your hardware." Plus, TFS says the upgrade is not slated to reach iPad owners until this fall. WTF???

Funny how M$ us to be on top and all you'd read about was the security vulnerabilities left unpatched and with apple on top, with their new line of hardware, are having the same issues. I wonder if we'll ever see something like the Melissa virus, or the iJerk.

With Apple finally gaining in the markets, it's becoming profitable to create exploits. While the fanbois would have you believe that Apple products simply weren't exploitable, the simple facts are that 1) there simply weren't enough Apple products in the wild to justify an exploit, and 2) Apple seems to prefer the "silent failure" route (which, admittedly, is less obvious than a BSOD) so users don't know they've been compromised.

Now that devices like the iPhone, iPad, even iPods have become all but ubiqui

Well, since you seem to know what you're talking about, how about providing links to all these viruses and malware? The iPad alone has sold 3,000,000 units in three months - surely, with all these vulnerabilities, something must be out there for such a popular item, right?

The iPhone and iPod have been "ubiquitous" (not quite, but very popular) for ages. Nothing has happened. I wonder why.

In the old days, in addition to Microsoft's OS being an open door, a lot of those computers were left on the open internet, making it easy for viruses to find computers to attack. Also, OS distributors didn't really catch on to the idea that leaving services open was a bad idea (it just seemed like being a good netizen to leave your finger port open). For example, I don't think RedHat stopped shipping with the FTP port open by default until 2001 or 2002. And that was a secure OS, Windows was much worse.

As to viruses, being a big fat target is only one of meny reasons MS gets so many viruses, MS software simply isn't written with security in mind; security is an afterthought with them (Adobe is as bad or worse, as are some other companies).

There have been no ipad core OS updates of any kind since its release. This includes expected improvements like software tweaks to make wifi more reliable. There were rumors that the ibooks app was released on the App Store so it could get more frequent updates than the core OS, yet it has only had one major update (yesterday's, adding PDF support and a few other features).

Web rendering engines have security vulnerabilities, and webkit is no exception. Since Apple allows no competing renderers (alternati

Hopefully the official iOS 4 release means the developers/QA people have some time to work on iOS 3 patching.

I'd hope that instead of spending that time patching iOS 3 they just try to release iOS 4 for iPad much sooner (that'd probably be the largest gain, after that if they really want they can work on porting the changes so the people with an original iPhone have security fixes, but I don't actually know the if the numbers would make it worthwhile).

I'd hope that instead of spending that time patching iOS 3 they just try to release iOS 4 for iPad much sooner (that'd probably be the largest gain, after that if they really want they can work on porting the changes so the people with an original iPhone have security fixes, but I don't actually know the if the numbers would make it worthwhile).

You have to support recent releases of your operating system with security updates, as not everyone is going to upgrade to the latest and greatest OS for any number of reasons. Lots of people with the 3G are reporting performance issues with iOS 4 (and few benefits). Until this release, OS updates for the ipod touch weren't free as well.

This becomes extremely important in the enterprise, where changes are handled more carefully. These mobile platforms seem to be way too fast of a moving target, though. Even Mac OS X gets deprecated fairly quickly relative to enterprise schedules. It's clear that Apple just isn't targeting them, which I think is a shame.

Why would they target them? Apple thrives from making throw away iDevices. Making their appliance-like product have any kind of longevity would stop people doing the mac upgrade treadmill every 1-2 years.

The price you pay for being with apple is being at their terms, they want to limit functionality as much as possible to create a simple user experience. I can't imagine that going well with enterprise either.

I read that the iPad might, possibly, maybe kill it's owner after 30 days of non-use. I know there haven't been any cases of iPhones, iPads or iPod touches attacking and killing their owners, but that doesn't mean you shouldn't fear it. Better safe then sorry!

Upgraded my iPhone to v4 last night, now it doesn't work with my Pioneer (DEH-3200UB) car audio deck. Talked to Pioneer and they pointed to Apple. Spoke with Apple and was told "sorry". Maybe the iPad users are the lucky ones.

probably, after installing 4.0 on my ipod the app store requested i take the time to read *109* pages of EULA before updating some apps.. I can only imagine how many pages i ignored to install that update in the first place..

Also, Fuck you apple, why do you need 3GS type hardware in order to have the option for orientation locking? i fully realize that my 3G ipod (8gb, so actually a 2G with a new sticker) probably hasnt got the memory for serious multi-tasking, but no orientation lock? WTF

65 bugs that I won't get patches for in my 1st Generation Ipod Touch. What is the point of paying a premium for hardware, when the control-freak sole arbiter of software patches renders it functionally obsolete long before its useful life has expired?

Don't you know, Apple has determined that it is a bad business practice to support older products or OSes, anything more than a few years old. But you're free to buy the new version that will be supported!

65 bugs that I won't get patches for in my 1st Generation Ipod Touch. What is the point of paying a premium for hardware, when the control-freak sole arbiter of software patches renders it functionally obsolete long before its useful life has expired?

Yeah, after 3 years you no longer get updates because your hardware is obsolete. Name one other smartphone/media player vendor that still releases updates for their hardware after it's 3 years old.

The name "jailbreak" comes from the fact that hacking the device involves taking down the BSD jails that userland processes run under. BSD jails provide app sandboxing preventing apps from taking over the phone. While these flaw might be a concern, they are only a concern if the exploit contains some sort of jailbreak payload with malicious content packaged in.

If you are worried about exposing your personal data, don't jailbreak. I've tried it in the past and I'll never jailbreak again.

How can they talk about how Apple Products don't suffer from viruses or other Malware when they are patching record numbers!

How? Well, first, they've never said this. But they have said any such problem is way less than on Windows, which it is. And the iPhone/iPad? Aside from that exploit a while back that affected jailbroken iPhones with a default ssh password, what malware is there for iOS?

None?

Hmm... Perhaps that's how they can say the things they actually do say.

They have said this. Not in some press release or an interview from Jobs, but in other adverts like radio. They have a Mac commercial airing right now that says Macs are virus-free. If I can get a recording of it I'll host it and link it.

They have said this. Not in some press release or an interview from Jobs, but in other adverts like radio. They have a Mac commercial airing right now that says Macs are virus-free. If I can get a recording of it I'll host it and link it.

Apple does not have radio advertisements. Definitely not in the US, perhaps in another locale (although I wouldn't expect it).

I'm more surprised that a phone is subject to so many vulnerabilities. Yet again, it is a pretty sophisticated piece of software. Hence, thanks for fixing the stuff, Apple; better late security than no security.

According to the article, 50 of the bugs are bugs in Webkit (side note: which would mean these bugs are likely present in Android, as Google uses Webkit for their browser, too), so it appears that web browsing is the most sophisticated piece (understandably.)

bugs in Webkit (side note: which would mean these bugs are likely present in Android, as Google uses Webkit for their browser, too

That may be the case, but I wouldn't bet on it. The rendering engine is the same, but everything else is different - Android is based on Linux, iPhoneOS is based on Darwin. Different platforms, different architectures, different builds.

Following that reasoning the bugs should also be in Chrome and Safari on Linux, MacOS, Windows...

That may be the case, but I wouldn't bet on it. The rendering engine is the same, but everything else is different - Android is based on Linux, iPhoneOS is based on Darwin. Different platforms, different architectures, different builds.

Following that reasoning the bugs should also be in Chrome and Safari on Linux, MacOS, Windows...

Webkit is the rendering engine. If the bugs are in Webkit, then they are in all the products that use Webkit.

That may be the case, but I wouldn't bet on it. The rendering engine is the same, but everything else is different - Android is based on Linux, iPhoneOS is based on Darwin. Different platforms, different architectures, different builds.

Following that reasoning the bugs should also be in Chrome and Safari on Linux, MacOS, Windows...

Webkit is the rendering engine. If the bugs are in Webkit, then they are in all the products that use Webkit.

They have updated apps such as Google Maps without an OS update. I don't see why they *couldn't* update the browser, other than the fact your version of Android may not run it (through fault of OEMs, carriers and Google allowing the fragmentation).

Hence, thanks for fixing the stuff, Apple; better late security than no security.

If you replaced Apple with Microsoft and posted that same statement, do you think you would have been rated Interesting or would you have been modded into negative oblivion with Flamebait or Troll? Why is it that Apple gets a free pass on everything it does half-assed regarding security, yet Microsoft's feet are held to the fire instantly?

Someone is going to post some long justification about exploits in the wild and some blah blah about monopoly. Whereas when it's about MS it's 'M$ can't code'. Apple gets a free pass on everything, including DRM in the iPhone and Trusted Computing.

Apple seems to have a particularly strong fanbase even amongst geeks which can't take valid criticism and does not hesitate to use their mod points for days after a story to stamp out any posts that can be construed as negative towards Apple.

Apple seems to have a particularly strong fanbase even amongst geeks which can't take valid criticism and does not hesitate to use their mod points for days after a story to stamp out any posts that can be construed as negative towards Apple.

Eh, I posted a few things the other day that weren't positive towards Apple but they were knocking down a few overzealous anti-Apple rumors and myths. I got modded down for it. It happens on both sides, a lot of people here are overly emotionally-invested in things and they tend to lash out rather than use reason.

The funny thing is that I've been capped at the highest level of karma forever and the downmods were reversed in a few days by upmods and meta-moderation. It's no biggie and I never find it useful

No different than the above being marked troll. It is certainly not 'trolling' under any definition. There have been no mass exploits for Apple since they moved to Intel unless someone would be kind enough to point one out? The modding has nothing to do with the content in the post, but rather the fact that someone dared to defend Apple. Anymore it's become a total waste of time to even read Apple threads. They are full of vitriol and hate. Not from the expected Apple fans, but from the anti-Apple (droid?)

Can you point to any actual reason to worry about your bank information being vulnerable from an iPhone? There was that exploit a while back that affected jailbroken iPhones that had a default ssh password (which didn't compromise bank info anyway). But that's *not* caused by any of these security updates. In fact, the users had to go quite a bit out of their way to make themselves vulnerable in the first place.

Can you point to any actual reason to worry about your bank information being vulnerable from an iPhone?

You need help to see the problem with your e-banking platform being compromised? You dont see a problem with handling your credit-card data using a computing device that potentially has just about anyone listening-in in the background?

Now obviously the iphone isnt that leaky, but if some of these vulnerabilities marked "arbitrary code execution" could lead to key-logging software being secretely installed, that would be a rather big issue, especially since lots of people still see the iphone as a phone (an

which wouldnt be an issue with a competent security model and process seperation, what modern OS allows one userland proces to snoop on another one?

Are you serious? Do you even understand what a jailbreak is? By default, all userland apps run inside of BSD jails on the iPhone/iPad/iPod Touch, hence the name "jailbreak" where you deliberately hack the phone to destroy those jails. This is why jailbroken devices are more vulnerable to attack. They are wide open after you destroy the security model that provides process sandboxing.

what i meant is, that multitasking (as in apple doing it, not jailbreaking), shouldnt open the door for keyloggers, as TheSunborn suggested, my comments have 0 to do with jailbreaking, or jailbroken phones, if anything, your explanation of jailbreaking solidifies my argument that multi-tasking (if done properly by apple) should not pose any security risk at all

Can you point to any actual reason to worry about your bank information being vulnerable from an iPhone?

You need help to see the problem with your e-banking platform being compromised? You dont see a problem with handling your credit-card data using a computing device that potentially has just about anyone listening-in in the background?

Where did I say I wouldn't have a problem with my banking info being compromised? I asked for a citation of this actually happening on the iPhone due to a security flaw.

Now obviously the iphone isnt that leaky, but if some of these vulnerabilities marked "arbitrary code execution" could lead to key-logging software being secretely installed, that would be a rather big issue, especially since lots of people still see the iphone as a phone (an appliance), rather then a computer, with all the needed security worries

Except that no such exploit exists. There have been "arbitrary code execution" flaws in parts of Mac OS X since the beginning, and as far as I am aware, not a single exploit, not even a proof-of-concept (which is somewhat surprising).

The problem is that taking advantage of possible "arbitrary code execution" flaws in Mac OS X is difficult. F

A phone which is able to broadcast your real-time location.A phone which has all your mails, all your texts and logs of all your calls, and a few private photoes to boot.A phone with verified contact information for all your friends, and sellable information on yours and their preferences.A phone that can call any number, including premium-rated ones owned by shady organizations.

A phone which is able to broadcast your real-time location.A phone which has all your mails, all your texts and logs of all your calls, and a few private photoes to boot.A phone with verified contact information for all your friends, and sellable information on yours and their preferences.A phone that can call any number, including premium-rated ones owned by shady organizations.

Yeah. Who cares is someone else gains control of that?

On top of calling pay phone numbers (900 numbers and such) if it copies all your data to a server somewhere you may go over your data plan and have to pay $15 per 200MB transferred or $10 per 1GB transferred depending on your plan.

DataPlus - 200 MB of data for $15 per month

* Designed for people who primarily surf the Web, send email, and use social networking apps.
* On average, 65% of AT&T smartphone customers use less than 200 MB per month
* If you use more than 200 MB, you'll receive an additional 200 MB of data usage for $15, replenished as often as necessary during the billing cycle.

DataPro - 2 GB of data for $25 per month

* Designed for people who regularly download or stream music and video, or use other high bandwidth applications
* 98% of AT&T smartphone customers use less than 2 GB in a month on average
* If you exceed 2 GB, you'll get an additional 1 GB of data for only $10. Each time an additional 1 GB is used up during a cycle, you will automatically receive another 1 GB at the same low price.

You know I don't need a security exploit to cause iPhone/iPad users trouble by pushing them over their data plan.

All we need to do is send them e-mails with attachments and it just so happens that I have a long list of iPad users I purchased from my Russian friends.

Hey that gives me a great idea. I invest in AT&T stock, take advantage of their pricing scheme by flooding AT&T users with more bits then they can afford, sell the stock after the quarterly profits shoot through the roof. Wow, mak

I am less worried about the sorts of bugs that allow me to jailbreak an iphone and take full control of it than I am worried about the things that Apple does intentionally or allows application vendors to do intentionally. The same goes for Google.

I trust Apple far less than I do the general robustness of Unix in general and Apple flavors in particular.

A phone which is able to broadcast your real-time location.A phone which has all your mails, all your texts and logs of all your calls, and a few private photoes to boot.A phone with verified contact information for all your friends, and sellable information on yours and their preferences.A phone that can call any number, including premium-rated ones owned by shady organizations.

Yeah. Who cares is someone else gains control of that?

Worse, how as a user can you even mitigate this risk?You can't stick it behind a firewall (except on wifi) to detect weird traffic patterns.There is no task manager of any kind (yes stock has very limited multitask but malware can jailbreak to rootkit)There is no booting off a bootdisk to get a checksum of firmware.It's like being logged onto windows with a locked down user account, unable to view the OS in any way.

The only thing as a user you can do is monitor your bills closely for unusual patterns.

Exactly. Heck, by their own admission it's speculation. From TFA: "It's unclear how many, if any, of the vulnerabilities patched this week affect Apple's iPad." Which is definitely a far cry from the horrors the article's title implies.

Exactly. Heck, by their own admission it's speculation. From TFA: "It's unclear how many, if any, of the vulnerabilities patched this week affect Apple's iPad." Which is definitely a far cry from the horrors the article's title implies.

Exactly. Heck, by their own admission it's speculation. From TFA: "It's unclear how many, if any, of the vulnerabilities patched this week affect Apple's iPad." Which is definitely a far cry from the horrors the article's title implies.

This is the new journalism - don't give facts, give possibilities and raise questions - you can sound much scarier and it's not saying anything that's false because all you did was say something was possible.

New iPhone may be made from the bones of children! Does Steve Jobs drink the blood of 15 virgins before bed each night? Find out more after the page break!

Really? So Android has no bugs/exploits in it? The various phone vendors that add their own code to the Android base also didn't introduce any bugs/exploits? And let me guess, the linux kernel has never had an exploit fixed?

ALL software has this problem. Open Source means it is much easier to bring them to light instead of depending on a proprietary vendor's announcement. Open Source does not mean the software doesn't have bugs/exploits.

Of course Android has bugs. In fact, it's based on WebKit and so it has many of the SAME bugs that the iOS does because many of these patched bugs are in WebKit.

Like you said, bugs are nearly unavoidable. All you can do is try your best to code well in the first place and then fix them when you find out you still have a few that you missed. They key really is the severity of the bugs, are they so blatant that they make the device unusable or trivial to exploit? Obviously the bugs aren't so bad in iOS because the devices still work well and there isn't any serious malware out there yet.

It's most likely that one of these days there will be a major bug/security flaw. We'll see how Apple handles that but so far their track record is fairly decent.

In fact, you might have much more trouble getting those bug fixes on your android phone depending on the level of customization your phone requires and the phone manufacturers willingness to roll up a patch with the latest version of Android.

The critical difference is that Google and FOSS are pretty damn quick in fixing bugs. Apple and to a lesser extent Microsoft are happy to leave known bugs and vulnerabilities unpatched for months or even years. Google fixes Android bugs in short order. Bugfix versions like 1.1 and 2.01 dropped very quickly after their parent releases.

Yes like 50 of the bugs were with WebKit. If WebKit was open source, someone would have found it sooner. Oh wait, it IS open source. And Android uses WebKit. . . so I guess that defeats your arguments.